Article ID: 815439
Article Last Modified on 2/20/2007
APPLIES TO
- Microsoft Exchange 2000 Server Standard Edition
- Microsoft Exchange 2000 Enterprise Server
SYMPTOMS
When you delegate control of Microsoft Exchange Server configuration objects in Active Directory so another user can delete a mailbox or e-mail address and you assign that user Write permissions to the attributes that are associated with mailboxes, that user may receive an "Access denied" error message as a result when they try to delete a mailbox or e-mail address.
When you follow the instructions from the following Microsoft Knowledge Base (KB) article to manually grant permissions to that delegate user, they can successfully delete the object:
316792 Minimum permissions necessary to perform Exchange-related tasks
CAUSE
This problem may occur if both the following conditions are true:
- You delegate the Exchange View Only Administrator role to a user or group.
- You assign Write permissions to the attributes associated with mailboxes by using the Active Directory Users and Computers utility or by using a third-party utility for account delegation management.
This problem also occurs because some of the attributes to which the delegate user needs permission are not visible in the Active Directory Users and Computers user interface (UI). Additionally, when you delete the mailbox or e-mail address, a number of attributes that are not part of the schema of the object being deleted, are also removed. Because of this, Active Directory must enforce the delegate users permissions against these attributes, although the attributes are not being used.
RESOLUTION
Cumulative Rollup Information
To resolve this problem, obtain the September 2003 Exchange 2000 Server Post-Service Pack 3 (SP3) Rollup. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824282 September 2003 Exchange 2000 Server post-Service Pack 3 Rollup
Hotfix Information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Microsoft Exchange 2000 Server service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The global version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
--------------------------------------------------------------
26-Feb-2003 18:18 6.0.6427.0 69,632 Ccmproxy.dll
26-Feb-2003 18:18 6.0.6427.0 2,109,440 Cdoexm.dll
26-Feb-2003 18:17 6.0.6427.0 8,466,432 Exadmin.dll
26-Feb-2003 18:18 6.0.6427.0 1,867,776 Exmgmt.exe
26-Feb-2003 18:18 6.0.6427.0 73,728 Inproxy.dll
26-Feb-2003 18:18 6.0.6427.0 2,969,600 Mad.exe
26-Feb-2003 18:17 6.0.6427.0 4,648,960 Maildsmx.dll
26-Feb-2003 18:18 6.0.6427.0 77,824 Pcproxy.dll
26-Feb-2003 18:18 6.0.6427.0 94,208 X400prox.dll
STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server.
MORE INFORMATION
This update resolves this issue by implementing the following changes:
- The Dssec.dat file is removed from the %Systemroot%\System32 folder. This exposes all attributes in the access control list (ACL) editor.
- Only the attributes that are part of the objects schema are edited when you modify the object.
- The list of attributes to which you require Write access now appears when you receive an "Access denied" error message as a result after you try to modify an object. This helps to diagnose permission issues that you may experience with a Delete Mailbox or Disable Mail operation.
After you install this update, the Delete Mailbox operation affects the following attributes:
adminDisplayName Alias - mailNickname altRecipient authOrig extensionAttribute1 extensionAttribute10 extensionAttribute11 extensionAttribute12 extensionAttribute13 extensionAttribute14 extensionAttribute15 extensionAttribute2 extensionAttribute3 extensionAttribute4 extensionAttribute5 extensionAttribute6 extensionAttribute7 extensionAttribute8 extensionAttribute9 deletedItemFlags delivContLength deliverAndRedirect dLMemDefault dLMemRejectPerms dLMemSubmitPerms E-Mail Address - mail Exchange Home Server - msExchHomeServerName Exchange Mailbox Store - homeMDB garbageCollPeriod homeMTA ILS Settings - autoReplyMessage internetEncoding legacyExchangeDN mAPIRecipient mDBOverHardQuotaLimit mDBOverQuotaLimit mDBStorageQuota mDBUseDefaults msExchADCGlobalNames msExchControllingZone msExchExpansionServerName msExchFBURL msExchHideFromAddressLists msExchMailboxGuid msExchMailboxSecurityDescriptor msExchPoliciesExcluded msExchPoliciesIncluded msExchRecipLimit msExchResourceGUID Outlook Web Access Server - folderPathname protocolSettings Proxy Addresses - proxyAddresses publicDelegates securityProtocol showInAddressBook Simple Display Name - displayNamePrintable submissionContLength targetAddress textEncodedORAddress unauthOrig
Additional query words: kbExchange2000preSP4septbarFix XADM
Keywords: kbhotfixserver kbqfe kbqfe kbfix kbexchange2000presp4fix kbbug KB815439
